February 22, 2011
Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule
Financial institutions and other financial service providers commonly provide products and services through arrangements with third parties. When appropriately managed, third-party relationships can enhance competitiveness and diversification of goods and services. However, these third-party arrangements, absent adequate risk management controls, can expose companies to reputational, operational, and compliance risks.
One possible measurement of a financial institution's reputational risk is how well the institution complies with the Unfair and Deceptive Acts and Practices (UDAP, or Regulation AA). While UDAP applies more specifically to credit card issuers and consumers regarding disclosure rules and restrictions on lender practices, it can also apply to third parties when a financial institution outsources functions of its card programs—for example, credit or stored value.
Increased use of third-party arrangements in consumer products
The Federal Deposit Insurance Corporation (FDIC) recently examined how financial institutions have used third-party providers to roll out new and innovative products and services during the current economic challenges. The FDIC released its findings in the Supervisory Insights Winter 2010 newsletter, which revealed that financial institutions are increasingly relying on third-party vendors. Specifically, over 60 percent of credit card programs that financial institutions offer are the assets of third parties. Additionally, of the 19 percent of financial institutions surveyed that offered stored-value cards, 94 percent involved a third-party service provider.
Costly lessons for violating UDAP
Noncompliance with UDAP generally occurs when a financial institution outsources the development and administration of a new credit card product to a third party unfamiliar with the necessary disclosure requirements regarding finance charges and fees, for example. Complaints alleging UDAP violations generally stem from credit card marketing products released by a financial institution’s third party vendor. These types of practices can potentially expose a financial institution to a host of legal and regulatory sanctions.
Recent enforcement actions against financial institutions that have violated UDAP due to poor oversight of third-party service providers have proven costly. If a financial institution insufficiently supervises a third-party vendor engaging in acts that meet the standards for deception—for example, the third party knowingly uses representations or omissions likely to mislead a consumer—it could face enforcement action.
Incorporating UDAP risk into an existing vendor-management risk tool kit
Data security is certainly an integral aspect of managing third-party service provider risk, but it is only one part of the picture. By also including UDAP risk management in their tool kits, financial institutions can better position themselves to manage their overall risk in relation to third-party service providers.
In recent years, the FDIC and the Board of Governors of the Federal Reserve System released joint guidance on the need for a financial institution to include UDAP risks with regard to third-party service providers. Some of the key components the guidance identifies are maintaining awareness of the risks associated with outsourcing, establishing controls over such relationships, exercising proper due diligence when identifying, selecting, and maintaining a third party, and creating comprehensive written contracts.
The joint guidance recommends that the financial institutions relying on third-party service providers maintain UDAP compliance by paying close attention to the service providers' card program promotional materials, advertisements, claims, and representations that could mislead a target audience regarding the cost, availability, or terms of the product or service.
Taking the needed precautions
By outsourcing to a partner, a financial institution places a great deal of trust in that provider, but that's no excuse for poor due diligence and oversight, which could readily lead to violations of the UDAP. The financial institution successfully monitoring its UDAP compliance specifically tailors its approach to the third party with which it has a relationship.
Financial service providers must look beyond the data protection measures of third-party service providers to ensure they are also in compliance with UDAP requirements.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule: